IT Examiner School

Service Organization Control (SOC) Reports

• Type I • Describes the servicer’s descriptions of controls at a specific point in time • Auditor performs no testing of servicer’s controls ‐ attesting to controls based on servicer’s account of controls ‐ no opinion • Type II (preferred) • Includes information from a Type I Report • Detailed testing of the servicer’s controls over a minimum consecutive six ‐ month period • Auditor expresses an opinion based on their testing

There are two types of Service

Organization Control (SOC) Reports:

Audit Reporting/Follow-up Similar to Safety & Soundness: o IT Audit reporting channels  what is being reported and to whom o Senior Management Responses  are they reasonable and corrective timeframe is appropriate o Exception Tracking  show all IT audit findings, both Internal and External, and regulatory along with corrective action(s)